Home/ Questions/Q 8188605
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T02:58:14+00:00

I inspected our web application with the Audit feature in the Google Chrome developer

  • 0

I inspected our web application with the Audit feature in the Google Chrome developer tools.

First I got a warning, indicating that we are serving our static content none-cacheable: “The following resources are explicitly non-cacheable. Consider making the cacheable if possible”.

To fix this I added this snippet to our web-config

<staticContent>
    <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" />
</staticContent>

as recommended in this blog post:
http://blogs.msdn.com/b/carlosag/archive/2009/06/09/are-you-caching-your-images-and-scripts-iis-seo-can-tell-you.aspx

If I now start a new audit in google chrome, I get a new warning:

The following publicly cacheable resources contain a Set-Cookie
header. This security vulnerability can cause cookies to be shared by
multiple users.

Can you explain the potential security threat and what is a possible solution in Asp.net?

[Update]

After some more research, I guess this could be related to this question:

Why is ASP.NET forms authentication setting cookies on a static image request?

But I can’t put the puzzle together. The situation is not exactly the same, while our application could be configured to use forms authentication, I got the warning while using windows authentication.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It looks like the problem was really related to forms authentication. After authenticating the user we set a forms authentication coockie. This coockie has no path set, so it will be sent for every request, even for static images.

    It looks like I still had the coockie set from a previous debug session even though I was testing windows authentication.

    I think the best solution would be to set a path for the coockie to prevent it from being sent for static resources. Unfortunately I can not define a path for all our service requests, because we are using WCF Ria Services and the services have a virtual path created a runtime.

    The solution for now is set the coockie only in the browser. The updated entry in the web config is:

    <staticContent>
    <clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="7.00:00:00" cacheControlCustom="private"/>
</staticContent>

    The important part is the new cacheControlCustom attribute.

    I guess this could still be a security problem, if a browser is shared by more than one user (e.g. in an Internet cafe?), but this is not a valid scenario for our project.

    • 0